🐝 Hive Five #37 - Make it rain

Hi friends,

Greetings from the hive!

I hope you were able to do something you looked forward to this weekend.

I finished last week's investigative podcast. I highly recommend it if you're into that sort of thing! Something quirky I did the past week was running in the rain. I've done it before, but this time it was intentional. It turns out it feels like any other run.

I also discovered a great new podcast to feed my nerdy productivity needs called Automaters. I'll link it in the audio section.

Let's take this week by swarm!

🐝 The Bee's Knees

1. $50,000 Shopify access to source code via leaking GitHub token - Hackerone bug bounty: This video is an explanation of $50,000 vulnerability in Shopify bug bounty program that allowed push and pull access to all Shopify repositories on GitHub. It was achieved by leaking GitHub API Personal Access Token by one of Shopify employees. The bug was reported on Hackerone by Augusto Zanellato

2. FAV/E - Find A Vulnerability/Exposure: To be a successful bug bounty hunter, you must be on a continuous search for new vulnerabilities and exploits. Aside from staying glued to infosec Twitter feeds, one of the best ways of introducing yourself to new vulnerabilities and exploitation methods is to stay up to date with the latest CVEs.

3. 5 RCEs in npm for $15,000: In this post, they will discuss the root cause of these vulnerabilities, as well as briefly walk through the exploitation process. They’ll also include some thoughts about bug bounty in general at the end. CVE-2021-39134 affects @npmcli/arborist. The others affect node-tar.

4. Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program: Sharing their frustrating experience participating in Apple Security Bounty program.

5. Apache Dubbo: All roads lead to RCE: During an audit of Apache Dubbo v2.7.8 source code, Alvaro found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.

🙏🏻 Enjoy This Newsletter?

Share with your friends or buy me a coffee.

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

• TCM Security Academy - courses, bundles, gift certs, and access passes. Cybersecurity Training That Doesn't Break the Bank. Don't overspend on your education!

💌 Want to sponsor an issue?

🔥 Buzzworthy

✅ Changelog

1. reconFTW v2.1.0: New minor version, with some cool changes, fixes and a useful new "-c" (custom) mode, it will run a chosen standalone function on an already scanned target.

2. BeeSecSan teases the next version of PyWhat: The next version of PyWhat is going to be absolutely amazing for bug bounty hunters....

📅 Events

1. BSidesSF 2022 Call For Participation: BSidesSF is a non-profit organization designed to advance the body of Information Security knowledge, by providing an annual, open forum for discussion and debate for security practitioners.